I used standard modules and delegate_to to come up with a pretty nice way of doing this:

I want to create a user on my bastion server(s), create a key pair for that user, and upload the public key to the user's authorized keys on all of my web servers, for example.

First, in my webservers role, I make sure the user has been created:

```yaml
- name: Create web server admin user
  user:
    name: myadmin
    state: present
```

Then, in my bastion server role, I want to create the admin user and generate a key pair at the same time (the registered variable will have the user's public key):

```yaml
- name: Create admin user with ssh key pair
  user:
    name: myadmin
    generate_ssh_key: yes
    state: present
  register: myadmin
```

In that same bastion role, I want to install the public key on all of my web servers (this is where delegate_to comes in):

```yaml
- name: Install myadmin public key on every web server
  authorized_key:
    user: myadmin
    key: "{{ myadmin.ssh_public_key }}"
  delegate_to: "{{ item }}"
  with_items: "{{ groups['webservers'] }}"
```
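The three tasks above combined into one playbook, as an added example that is not part of the original post. It runs the web server play first so the account exists before the key is installed, stops if no public key was registered, and limits the installed key to connections coming from the bastion. Assumptions: the inventory group name `bastion`, the use of `become`, and that the bastion's default IPv4 address is the address the web servers see.

```yaml
# Added example, not from the original post.
# Play order matters: myadmin must exist on the web servers before the
# bastion play delegates the authorized_key task to them.
- hosts: webservers
  become: true                # assumption: account management needs root
  tasks:
    - name: Create web server admin user
      user:
        name: myadmin
        state: present

- hosts: bastion              # assumed inventory group name
  become: true
  gather_facts: true          # needed for ansible_default_ipv4 below
  tasks:
    - name: Create admin user with ssh key pair
      user:
        name: myadmin
        generate_ssh_key: yes
        state: present
      register: myadmin

    # Fail early rather than install an empty or undefined key.
    - name: Stop if no public key was registered
      assert:
        that:
          - myadmin.ssh_public_key is defined
          - myadmin.ssh_public_key | length > 0

    # Variables in a delegated task still belong to the bastion host, so
    # ansible_default_ipv4 here is the bastion's address, not the web server's.
    - name: Install myadmin public key on every web server
      authorized_key:
        user: myadmin
        key: "{{ myadmin.ssh_public_key }}"
        # Restrict the key so sshd only accepts it from the bastion.
        # Assumption: this is the address the web servers see.
        key_options: 'from="{{ ansible_default_ipv4.address }}"'
        state: present
      delegate_to: "{{ item }}"
      with_items: "{{ groups['webservers'] }}"
```

With more than one bastion, each host generates its own key pair and each public key is added to the web servers with its own `from=` restriction.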